Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton


Reported on

Dec 9th 2021


Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization.

Proof of Concept

  1. 1.Start a new web conference and share the link with other people
  2. 2.A malicious user joins the conference with the following username: <img%20src=#%20onerror=alert(document.cookie)>
  3. 3.As soon as the malicious user types on the "Shared notes" section (and the victim has the "Shared notes" section open) an alert popup is shown on the target user (in this case showing the document.cookie value ).


XSS vulnerabilities allow attackers to inject arbitrary javascript code to other users browser, leading to stealing user session cookies, defacing website, performing phishing and many others attacks.


User inputs should be always sanitized against such attacks to prevent attackers injecting malicious code. Is also important to perform output encoding in order to prevent unwanted code execution.


We are processing your report and will contact the bigbluebutton team within 24 hours. a year ago
We have contacted a member of the bigbluebutton team and are waiting to hear back a year ago
We have sent a follow up to the bigbluebutton team. We will try again in 7 days. a year ago
Anton Georgiev validated this vulnerability a year ago
lfama has been awarded the disclosure bounty
The fix bounty is now up for grabs
Anton Georgiev
a year ago


The "fix" has been to switch the fork where we pull a plugin from. This "fix" has been released with versions 2.3.17 and 2.4.0 and I'd rather wait a day or so before confirming it fully resolved. It's not a glorious fix, it's a packaging change.

a year ago


Hi Anton,

thank you for the update. I've just verified that the issue has been resolved in the new release and the XSS payload is not triggered anymore. Could you please confirm the report as resolved?

Thanks! Luca

a year ago


Hi Anton,

any update?

Thanks! Luca

Anton Georgiev marked this as fixed in 2.4.0 with commit 62040b a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
component.jsx#L1-L142 has been validated
to join this conversation